DES-CBC-SHA is LOW cipher and disabled by default and it is used in
tests of hornorcipherorder. They are changed as to
- use RC4-SHA instead of DES-CBC-SHA.
- add ECDHE-RSA-AES256-SHA to entries to keep the number of ciphers.
- remove tests for non-default cipher because only SEED and IDEA are
available in !RC4:!HIGH:ALL.
Fixes: https://github.com/nodejs/LTS/issues/85
PR-URL: https://github.com/nodejs/node/pull/5712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
backport fix for test-http-get-pipeline-problem.js from master
to 0.12.X. We've been seeing an intermittent failure
in runs for zLinux with SLES 12. We confirmed that this fix
resolves the issue so would like it in 0.12.X
The original commit does not apply cleanly as the paths were
changed, but the actual change is identical. The original commit was:
3ba4f71fc4
PR-URL: https://github.com/nodejs/node/pull/3013
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Invoke MSBuild specifying the target platform as generated by Gyp.
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/5627
Notable changes:
* openssl: Fully remove SSLv2 support, the `--enable-ssl2` command
line argument will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using SSLv2.
The SSLv2 protocol is widely considered unacceptably broken and
should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
Note that the upgrade to OpenSSL 1.0.1s in Node.js v0.12.11 removed
internal SSLv2 support. The change in this release was originally
intended for v0.12.11. The `--enable-ssl2` command line argument now
produces an error rather than being a no-op.
Remove support for SSLv2 because of DROWN (CVE-2016-0800).
Use of the `--enable-ssl2` flag is now an error; node will print an
error message and exit.
PR-URL: https://github.com/nodejs/node/pull/5536
Reviewed-By: Rod Vagg <rod@vagg.org>
Notable changes:
* http_parser: Update to http-parser 2.3.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) https://github.com/nodejs/node/pull/5241
* domains:
- Prevent an exit due to an exception being thrown rather than
emitting an 'uncaughtException' event on the `process` object when
no error handler is set on the domain within which an error is
thrown and an 'uncaughtException' event listener is set on
`process`. (Julien Gilli) https://github.com/nodejs/node/pull/3885
- Fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
(Julien Gilli) https://github.com/nodejs/node/pull/3885
* openssl: Upgrade from 1.0.2f to 1.0.2g
(Ben Noordhuis) https://github.com/nodejs/node/pull/5509
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is
likely to be very difficult to use this defect for a practical
attack and is therefore considered low severity for Node.js users.
More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code
paths that use these functions so practical attacks via Node.js
using this defect are _unlikely_ to be possible. More info is
available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading
to the potential recovery of entire RSA private keys. It only
affects the Intel Sandy Bridge (and possibly older)
microarchitecture when using hyper-threading. Newer
microarchitectures, including Haswell, are unaffected. More info
is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
Fixes http-parser regression with IS_HEADER_CHAR check
Add test case for obstext characters (> 0x80) in header
PR-URL: https://github.com/nodejs/node/pull/5241
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
It is possible that the internal handleMessage() might try to send to
a channel that has been closed. The result can be an AssertionError.
Guard against this.
Fixes: https://github.com/nodejs/node/issues/4205
PR-URL: https://github.com/nodejs/node/pull/5153
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit prevents child process stdio streams from being
automatically flushed on child process exit/close if a 'readable'
event handler has been attached at the time of exit.
Without this, child process stdio data can be lost if the process
exits quickly and a `read()` (e.g. from a 'readable' handler)
hasn't had the chance to get called yet.
Fixes: https://github.com/nodejs/node/issues/5034
PR-URL: https://github.com/nodejs/node/pull/5037
Reviewed-By: James M Snell <jasnell@gmail.com>
Fix node exiting due to an exception being thrown rather than emitting
an 'uncaughtException' event on the process object when:
1. no error handler is set on the domain within which an error is thrown
2. an 'uncaughtException' event listener is set on the process
Also fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and --abort-on-uncaught-exception is used.
Fixes#3607 and #3653.
PR: #3885
PR-URL: https://github.com/nodejs/node/pull/3885
Reviewed-By: James M Snell <jasnell@gmail.com>
d1ba82af1c2528c71e1b6b6a57844a7519b66ccb "fixed"
test-domain-exit-dispose-again by changing its logic to test that
process.domain was cleared properly in case an error was thrown from
a timer's callback.
However, it became clear when reviewing a recent change that refactors
lib/timers.js that it was not quite the intention of the original test.
Thus, this change adds the original implementation of
test-domain-exit-dispose-again back, with comments that make its
implementation easier to understand.
It also preserves the changes made by
d1ba82af1c2528c71e1b6b6a57844a7519b66ccb, but it moves them to a new
test file named test-timers-reset-process-domain-on-throw.js.
PR: #4278
PR-URL: https://github.com/nodejs/node/pull/4278
Reviewed-By: James M Snell <jasnell@gmail.com>
PR #3890 [1] introduced the variable ALLOW_INSECURE_SERVER_DHPARAM defined
in src/node_crypto.cc. However, if nodejs is built without OpenSSL support,
the build fails:
error: ‘ALLOW_INSECURE_SERVER_DHPARAM’ was not declared in this scope
ALLOW_INSECURE_SERVER_DHPARAM = true;
Fix this by using the preprocessor macro HAVE_OPENSSL to opt-out the use of
ALLOW_INSECURE_SERVER_DHPARAM in non-OpenSSL builds.
[1] https://github.com/nodejs/node/pull/3890
PR-URL: https://github.com/nodejs/node/pull/4201
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
test-domain-exit-dispose-again had been written for node v0.10.x, and
was using the fact that callbacks scheduled with `process.nextTick`
wouldn't run if the domain attached to it was disposed.
This is not longer the case, and as a result the test would not catch
any regression: it would always pass.
This change rewrites that test to check that the current domain is
cleared properly when processing the rest of the timers list if a
timer's callback throws an error. This makes the test fail without the
original fix, and pass with the original fix, as expected.
PR: #3991
PR-URL: https://github.com/nodejs/node/pull/3991
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
The call to node::Environment::GetCurrent(Isolate*) makes the call to
v8::Isolate::GetCurrentContext(). Doing so creates a new handle that
bubbled to the v8::SealHandleScope().
PR-URL: https://github.com/nodejs/node/pull/3945
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James Snell <jasnell@gmail.com>
Original commit message:
api: introduce SealHandleScope
When debugging Handle leaks in io.js we found it very convenient to be
able to Seal some specific (root in our case) scope to prevent Handle
allocations in it, and easily find leakage.
R=yangguo
BUG=
Review URL: https://codereview.chromium.org/1079713002
Cr-Commit-Position: refs/heads/master@{#27766}
Should help us identify and fix Handle leaks in core and user-space code.
PR-URL: https://github.com/nodejs/node/pull/3945
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James Snell <jasnell@gmail.com>
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes:
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.3.0 to 2.3.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for
v0.12 builds from v0.12.10 onward
- A headers.tar.gz file will be made available from nodejs.org for
v0.12 builds from v0.12.10 onward, a future change to node-gyp
will be required to make use of these
PR-URL: https://github.com/nodejs/node-private/pull/24
PR-URL: https://github.com/nodejs/node/pull/4894
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: James M Snell <jasnell@gmail.com>
* Include reference to CVE-2015-8027
* Fix "socket may no longer have a socket" reference
* Expand on non-existent parser causing the error
* Clarify that CVE-2015-3194 affects TLS servers using _client
certificate authentication_
PR-URL: https://github.com/nodejs/node/pull/4154
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Backport the tools/install.py changes from 628a3ab that were missed
when 6fb0b92 backported the corresponding changes to the Makefile to
build the headers only archive.
PR-URL: https://github.com/nodejs/node/pull/4149
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rod Vagg <rod@vagg.org>
This replaces all sources of openssl-1.0.1r.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/4967
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
deps: copy all openssl header files to include dir
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/4967
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
deps: separate sha256/sha512-x86_64.pl for openssl
sha256-x86_64.pl does not exist in the origin openssl distribution. It
was copied from sha512-x86_64.pl and both sha256/sha512 scripts were
modified so as to generates only one asm file specified as its key
hash length.
PR: #9451
PR-URL: https://github.com/joyent/node/pull/9451
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
deps: fix openssl assembly error on ia32 win32
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .
PR: #9451
PR-URL: https://github.com/joyent/node/pull/9451
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
openssl: fix keypress requirement in apps on win32
reapply b910613792
PR: #9451
PR-URL: https://github.com/joyent/node/pull/9451
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
deps: add -no_rand_screen to openssl s_client
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
(cherry picked from commit 9f0f7c38e6df975dd39735d0e9ef968076369c74)
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/25368
The `--security-revert={cvenum}` command line flag is a special purpose
flag to be used only in stable or LTS branches when a breaking change
is required to address a security vulnerability. Whenever a vulnerability
requires a breaking change, and a CVE has been assigned, the flag can
be used to force Node to revert to the insecure behavior that was
implemented before the fix was applied.
Note that this flag is intended to be used only as a last resort in the
case a security update breaks existing code. When used, a security
warning will be printed to stderr when Node launches.
The `--security-revert={cvenum}` flag takes a single CVE number as an
argument. Multiple instances of the `--security-revert={cvenum}` flag
can be used on the command line to revert multiple changes.
Whenever a new `--security-revert={cvenum}` is enabled, it should be
documented in the release notes and in the API docs.
Master and the first release of a new major (e.g. v6.0) should not have
any reverts available.
Every time a new `--security-revert={cvenum}` is added, there should be
a semver-minor bump in the stable and LTS branch.
PR-URL: https://github.com/nodejs/node-private/pull/21
Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket but a
pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133
PR-URL: https://github.com/nodejs/node-private/pull/13
When MSBuild invokes rc.exe, it passes NODE_TAG unstringified, but
passes it correctly to cl.exe. Hence, this workaround was made to
apply only to the resource file.
Fixes: https://github.com/nodejs/node/issues/2963
PR-URL: https://github.com/nodejs/node/pull/3053
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
As part of the fix for logjam, node was upgraded to a
level of openssl which rejects connections to servers that
are using keys smaller than 768 bits. It is still possible,
however, to create a server that uses a smaller key size
and and older client may be able to connect to it.
This PR moves us to a secure by default stance on the
server side as well, preventing the creation of a server
using a dhe key size less than 768. This can be overridden
with the command line option which is also added.
It is derived from
9b35be5810
which was landed in later io.js/node versions but makes
the limit 1024. This PR uses the smaller limit in order
to meet the recomendations for logjam while matching was
was done on the client side in openssl to minimize the
potential impacton users.
The command line option will only be documented in the
release notes and will not be added to the tls
documentation. The goal is that people who are
upgrading are aware and can use the option if they
run into issues, but otherwise the option is not
visible/used.
PR-URL: https://github.com/nodejs/node/pull/3890
Fixes: https://github.com/nodejs/LTS/issues/49
Reviewed-By: Myles Borins <mborins@us.ibm.com>
Reviewed-By: James Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <r@va.gg>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
This is a roll-up release that includes all changes to npm since 2.13.4.
PR-URL: https://github.com/nodejs/node/pull/3684
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Fix the following build error by putting #if guards around the
variables:
../src/node.cc: In function 'void node::ParseArgs(int*,
const char**, int*, const char***, int*, const char***)':
../src/node.cc:3037:7: error: 'SSL2_ENABLE' was not declared
in this scope
SSL2_ENABLE = true;
^
../src/node.cc:3039:7: error: 'SSL3_ENABLE' was not declared
in this scope
SSL3_ENABLE = true;
Fixes: https://github.com/nodejs/node-v0.x-archive/issues/8645
PR-URL: https://github.com/nodejs/node/pull/3825
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: James M Snell <jasnell@gmail.com>
caeb677
Do not abort the process if an error is thrown from within a domain,
an error handler is setup for the domain and
--abort-on-uncaught-exception was passed on the command line.
However, if an error is thrown from within the top-level domain's
error handler and --abort-on-uncaught-exception was passed on the
command line, make the process abort.
Fixes: #8877
Fixes: https://github.com/nodejs/node-v0.x-archive/issues/8877
PR-URL: https://github.com/nodejs/node-v0.x-archive/pull/25835
Reviewed-By: misterdjules - Julien Gilli <jgilli@nodejs.org>
Try the next version of Microsoft Visual Studio when vcvarsall.bat
fails to set VCINSTALLDIR.
PR-URL: https://github.com/nodejs/node/pull/2843
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Gibson Fahnestock
Shigeki Ohtsu
Michael Dawson
João Reis
Rod Vagg
Ben Noordhuis
James M Snell
Rich Trott
Brian White
Julien Gilli
Jörg Krause
Trevor Norris
Richard Lau
Fedor Indutny
Forrest L Norvell
Jeremy Whitlock